Index: sys/kern/sys_generic.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sys_generic.c,v
retrieving revision 1.55.2.10
diff -c -r1.55.2.10 sys_generic.c
*** sys/kern/sys_generic.c	17 Mar 2001 10:39:32 -0000	1.55.2.10
--- sys/kern/sys_generic.c	23 Sep 2003 17:52:41 -0000
***************
*** 231,237 ****
  	register struct filedesc *fdp = p->p_fd;
  	struct uio auio;
  	register struct iovec *iov;
! 	struct iovec *needfree;
  	struct iovec aiov[UIO_SMALLIOV];
  	long i, cnt, error = 0;
  	u_int iovlen;
--- 231,237 ----
  	register struct filedesc *fdp = p->p_fd;
  	struct uio auio;
  	register struct iovec *iov;
! 	struct iovec *needfree = NULL;
  	struct iovec aiov[UIO_SMALLIOV];
  	long i, cnt, error = 0;
  	u_int iovlen;
***************
*** 245,258 ****
  	/* note: can't use iovlen until iovcnt is validated */
  	iovlen = uap->iovcnt * sizeof (struct iovec);
  	if (uap->iovcnt > UIO_SMALLIOV) {
! 		if (uap->iovcnt > UIO_MAXIOV)
! 			return (EINVAL);
  		MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
  		needfree = iov;
! 	} else {
  		iov = aiov;
- 		needfree = NULL;
- 	}
  	auio.uio_iov = iov;
  	auio.uio_iovcnt = uap->iovcnt;
  	auio.uio_rw = UIO_READ;
--- 245,258 ----
  	/* note: can't use iovlen until iovcnt is validated */
  	iovlen = uap->iovcnt * sizeof (struct iovec);
  	if (uap->iovcnt > UIO_SMALLIOV) {
! 		if (uap->iovcnt > UIO_MAXIOV) {
! 			error = EINVAL;
! 			goto done;
! 		}
  		MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
  		needfree = iov;
! 	} else
  		iov = aiov;
  	auio.uio_iov = iov;
  	auio.uio_iovcnt = uap->iovcnt;
  	auio.uio_rw = UIO_READ;
